SIMP Compliance Engine

Compliance Profile customization

The format for SIMP Compliance Engine data is fully described here.

Custom SCE Profiles

If you have a Puppet class that looks like this:

class profile::ssh_server (
  Enum['yes', 'no'] $permit_root_login = 'yes',
) {
  sshd_config { 'PermitRootLogin': value => $permit_root_login }
}

And you have compliance data that looks like this (comments optional):

---
version: 2.0.0                 # Required in every file read by SCE

profiles:
  my_profile:                  # Named profile, enabled by name in hiera
    checks:                    # All checks contained in the profile
      disable_root_login: true # Use the key from the checks hash!

checks:
  disable_root_login:          # Check name, used above in a profile
    type: puppet-class-parameter
    settings:
      # The name of the Puppet parameter, the name used in hiera
      parameter: profile::ssh_server::permit_root_login
      # The policy compliant value
      # It's quoted here because otherwise yaml would convert it to a boolean
      value: "no"

The following also needs to be set in Hiera to select the profile to enforce:

---
compliance_markup::enforcement:
  - 'my_profile'

During catalog compilation, Puppet will perform a lookup on the class parameter profile::ssh_server::permit_root_login. If set up properly, the SCE will be referenced by Puppet’s automatic parameter lookup and will return "no", forcing that parameter to be set to "no". After Puppet finishes running, the system will reflect the enforcement and the PermitRootLogin setting for sshd will be set to no.
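The lookup described above can be modelled offline to check a custom data file before it is enforced. This Ruby example is added here and is not SIMP's code: `resolve`, the `disable_x11` and `missing_check` entries and the `x11_forwarding` parameter are hypothetical, and the resolution logic is a simplified assumption about how a profile's checks map to class parameters.

```ruby
require 'yaml'

# Constructed sample modelled on the example above. disable_x11, its parameter
# and missing_check are hypothetical, added to trigger the two failure cases.
SAMPLE = <<~DATA
  version: 2.0.0
  profiles:
    my_profile:
      checks:
        disable_root_login: true
        disable_x11: true
        missing_check: true
  checks:
    disable_root_login:
      type: puppet-class-parameter
      settings:
        parameter: profile::ssh_server::permit_root_login
        value: "no"
    disable_x11:
      type: puppet-class-parameter
      settings:
        parameter: profile::ssh_server::x11_forwarding
        value: no
DATA

# Simplified model of enforcement (an assumption, not SCE's implementation):
# returns [enforced, problems] where enforced maps parameter => value.
def resolve(data_text, enforcement)
  data = YAML.safe_load(data_text)
  problems = []
  problems << 'missing top-level version' unless data['version']
  enforced = {}
  enforcement.each do |name|
    profile = data.dig('profiles', name)
    next problems << "profile #{name} not defined" unless profile
    (profile['checks'] || {}).each do |check, enabled|
      next unless enabled
      spec = data.dig('checks', check)
      next problems << "#{name}: check #{check} not defined" unless spec
      next unless spec['type'] == 'puppet-class-parameter'
      param, value = (spec['settings'] || {}).values_at('parameter', 'value')
      # Unquoted yes/no is loaded as true/false, which Enum['yes', 'no'] rejects
      problems << "#{check}: value is boolean #{value}, quote it" if [true, false].include?(value)
      enforced[param] = value
    end
  end
  [enforced, problems]
end

p resolve(SAMPLE, ['my_profile']) if __FILE__ == $PROGRAM_NAME
```

The quoted check resolves to the string "no", while the unquoted one resolves to the boolean false and is reported along with the undefined check.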

You can also create a new profile using the compliant configuration settings we provide with the included profiles.

As an example, this custom profile configures the Account Lockout settings and auditing using the settings provided with the Windows DISA STIG compliance data:

---
version: 2.0.0                 # Required in every file read by SCE

profiles:
  my_profile:account_lockout_settings_only: # Named profile, enabled by name in hiera
    checks: # Settings to enforce with the profile
      oval:com.puppet.forge.simp-windows.local_security_policies.account-lockout-threshold:def:1: true
      oval:com.puppet.forge.simp-windows.local_security_policies.reset-account-lockout-counter-after:def:1: true
      oval:com.puppet.forge.simp-windows.local_security_policies.account-lockout-duration:def:1: true
      oval:com.puppet.forge.simp-windows.audit_policies.account-lockout-success:def:1: true
      oval:com.puppet.forge.simp-windows.audit_policies.account-lockout-failure:def:1: true

Then add the profile to the enforcement list in Hiera:

---
compliance_markup::enforcement:
  - 'my_profile:account_lockout_settings_only'

Customizing Existing Profiles

In the compliance data provided with SIMP Enterprise, the profile contains a list of Configuration Elements. Each Configuration Element is a translation of a single recommendation from an industry standard benchmark. The Configuration Elements tie the configuration settings required for compliance back to the profile.

To modify which benchmark recommendations are applied to your systems, use the compliance_map function to disable the Configuration Elements referencing the settings you want to disable.

Let’s assume you are enforcing the disa:mac-1:classified profile on a Windows 2019 system, and have decided that V-92965 ("Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems") is too restrictive for your environment.

Add the following to a hieradata file that will apply to the desired system:

---
compliance_markup::compliance_map:
  version: 2.0.0
  profiles:
    disa:mac-1:classified: # Profile to customize, enabled by name in hiera
      ces:  # Configuration Elements included in this profile.
        oval:simp.disa.V-92965:def:1: false # Set true to enable the CE, false to disable

Make sure the profile is in the enforcement list in hieradata:

---
compliance_markup::enforcement:
  - disa:mac-1:classified

Some enforced configuration settings are exposed as Puppet class parameters and can be directly modified through Hiera data. Details of those settings are found in the individual module documentation.